CMMC vs NIST SP-800.171: Understand the Difference Between Them

CMMC vs NIST SP-800.171: Understand the Difference Between Them

The U.S. Department of Defense (DoD) is facing increasingly complex cybersecurity threats that threaten not only the defense industrial base (DIB) but also the security of the entire nation, as well as its allies and partners. To enhance its cybersecurity posture, the DoD is migrating to a new set of cybersecurity standards, the Cybersecurity Maturity Model Certification (CMMC).

From a distance, CMMC seems a lot like an updated version of the NIST SP-800-171 standards, which also aim to strengthen the cybersecurity posture of the DIB and its approximately 300,000 contractors. However, there are many important differences between the two sets of cybersecurity standards that all DoD contractors and subcontractors need to understand.

What Is NIST 800.171?

Since January 1, 2018, DoD contractors have been required to comply with the NIST SP-800-171 standards to protect Controlled Unclassified Information (CUI).

The National Archives and Records Administration (NARA) defines CUI as “information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies but is not classified under Executive Order 13526 or the Atomic Energy Act, as amended.”

Even though it’s been almost three years since the requirement to comply with the NIST SP-800-171 came into force, the compliance rate across the DIB remained very low, with less than 1% of contractors adopting all 110 requirements recommended in the NIST SP-800-171 to ensure the confidentiality of CUI.

To address this issue, the Office of the Undersecretary of Defense for Acquisition and Sustainment took it upon itself to come up with a more flexible alternative to the NIST SP-800-171, one that would move away from the one-size-fits-all approach and ensure that all DoD contractors possess the necessary cybersecurity defenses to protect CUI.

What is CMMC?

The first version of the Cybersecurity Maturity Model Certification, CMMC Model version 1.0, was released by the DoD on January 31, 2020, bringing together a number of older cybersecurity requirements and introducing a verification mechanism to remedy the systemic issue of non-compliance.

Despite being derived largely from the NIST SP-800-171 standards, CMMC differs from them in several key areas:

  • Contractors are required to become certified by a third-party assessor, the so-called Certified 3rd Party Assessment Organization (C3PAO), to one of the five levels. While contractors are encouraged to complete a self-assessment prior to scheduling a CMMC certification, they can’t self-certify.
  • Instead of requiring all DoD contractors to implement the same cybersecurity defenses, CMMC defines five certification levels, allowing each contractor to decide which level they want to certify to. The five certification levels are cumulative, so any contractor who achieves compliance with, let’s say, Level 3 automatically complies with Level 2 and Level 1, as well.

Here’s an overview of the five CMMC levels:

  • CMMC Level 1: Focusing on basic cybersecurity requirements, such as the use of strong passwords, this level covers approximately 15% of the NIST SP-800-171 CUI controls. The vast majority of DoD contractors should be able to certify to this level without any issues.
  • CMMC Level 2: This level covers more than half of the NIST SP-800-171 CUI controls. It’s often described as a transition step toward Level 3.
  • CMMC Level 3: Covering all 110 NIST SP-800-171 CUI controls, contractors certifying to this level must be able to demonstrate good cyber hygiene.
  • CMMC Level 4: This is where cybersecurity practices shift from passive to proactive in order to address the danger represented by advanced persistent threats (APTs).
  • CMMC Level 5: The highest CMMC level includes highly advanced cybersecurity practices and cybersecurity standards that only select contractors are expected to meet.

Most DoD contractors won’t ever be required to go beyond CMMC Level 3. That’s good news because it’s easily possible to achieve compliance with it without employing a full-time security person. Instead, contractors can partner with a managed service provider (MSP) and let them put in place the necessary cybersecurity defenses to meet regulatory requirements and protect CUI from unintended disclosure.

Contact us at Aligned Technology Solutions for more information about the Cybersecurity Maturity Model Certification and how we can help you become certified.


Do you know how much to budget for malware prevention and protection? Download our newest eBookGet the answer
+